entra-agent-id
Summary
Provision OAuth 2.0 identities for AI agents with per-instance credentials and audit trails via Microsoft Graph.
- Creates Agent Identity Blueprints (application templates), BlueprintPrincipals (service principals), and per-instance Agent Identities, each with independent permission grants and audit scope
- Implements the two-step fmi_path token exchange for autonomous and on-behalf-of (OBO) flows, with support for Workload Identity Federation, client secrets, and cross-tenant scenarios
- Provides Microsoft.Identity.Web.AgentIdentities for .NET and a containerized Microsoft Entra SDK for AgentID sidecar supporting Python, Node, Go, and Java
- Grants application and delegated permissions scoped per Agent Identity via appRoleAssignments and oauth2PermissionGrants; credentials live on the Blueprint, not on individual Agent Identities
SKILL.md
Microsoft Entra Agent ID
Create and manage OAuth 2.0-capable identities for AI agents using Microsoft Graph. Every agent instance gets a distinct identity, its own audit trail, and independently scoped permission grants.
Quick Reference
| Property | Value |
|---|---|
| Service | Microsoft Entra Agent ID |
| API | Microsoft Graph (https://graph.microsoft.com/v1.0) |
| Required role | Agent Identity Developer, Agent Identity Administrator, or Application Administrator |
| Object model | Blueprint (application) → BlueprintPrincipal (SP) → Agent Identity (SP) |
| Runtime exchange | Two-step fmi_path exchange (autonomous and OBO) |
| .NET helper | Microsoft.Identity.Web.AgentIdentities |
| Polyglot helper | Microsoft Entra SDK for AgentID (sidecar container) |